Gluu is working on a free open source app called Cred Mgr:
  github.com/GluuFederation/cred-mgr

As the name suggests, this app is a user-facing application that lets the person reset existing credentials and register new credentials. To avoid degrading the security of credentials, we want to make sure that a person can only reset a credential if they present one with equal or greater strength, or "level".

Cred-mgr knows the level, because we are returning it as the first value in the amr array in the id_token. We are also publishing a mapping of amr values to acr values in the OP discovery page. For example:

 "auth_level_mapping": {
        "50": ["http://example.com/saml"],
        "10": ["http://example.com/u2f", "http://example.com/duo"],
        "1": ["http://example.com/pw"]
    },

If we could agree on this approach, then it could be interoperable across domains. I don't see any other solutions being proposed, so no one can figure out how to properly handle multi-factor credential reset in a standard way.

- Mike


-------------------------------------
Michael Schwartz
Gluu
Founder / CEO
m...@gluu.org
http://support.gluu.org
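The check Mike describes, as an added example that is not part of the original post or of the cred-mgr project: it inverts the discovery document's "auth_level_mapping" into a per-amr level table, takes the level of the credential actually used from the first value of the id_token's "amr" array, and permits a reset only when that level is at least the level of the credential being reset. The discovery fragment and token claims below are constructed sample data mirroring the post; the function names are this example's own. Any amr value the mapping does not list, or an empty/missing amr claim, denies the reset rather than guessing a level.

```python
"""Credential-reset policy check built on the auth_level_mapping idea.

Added example, not code from the cred-mgr project. Assumes the OP
discovery document carries "auth_level_mapping" (level -> list of amr
values) as sketched in the post, and that the id_token's "amr" array
lists the method actually used first. All data below is constructed.
"""
import json

# Constructed discovery document fragment, mirroring the post's example.
DISCOVERY_JSON = """
{
  "auth_level_mapping": {
    "50": ["http://example.com/saml"],
    "10": ["http://example.com/u2f", "http://example.com/duo"],
    "1":  ["http://example.com/pw"]
  }
}
"""


def build_level_index(discovery_json):
    """Invert auth_level_mapping into {amr_value: level}.

    Levels are JSON object keys, so they arrive as strings; convert them
    to int so that "9" vs "10" compares numerically, not lexically.
    """
    mapping = json.loads(discovery_json)["auth_level_mapping"]
    index = {}
    for level_str, amr_values in mapping.items():
        level = int(level_str)
        for amr in amr_values:
            # A method listed under two different levels is a config error.
            if amr in index and index[amr] != level:
                raise ValueError("amr %r listed under two levels" % amr)
            index[amr] = level
    return index


def level_of(amr_claim, index):
    """Level of the credential used: the first amr value, per the post.

    Returns None when the claim is missing/empty or the value is not in
    the mapping, so callers fail closed instead of assuming a level.
    """
    if not amr_claim:
        return None
    return index.get(amr_claim[0])


def may_reset(id_token_claims, target_amr, index):
    """Allow a reset only if the presented credential's level is at least
    the level of the credential being reset. Unknown levels on either
    side deny.
    """
    presented = level_of(id_token_claims.get("amr"), index)
    target = index.get(target_amr)
    if presented is None or target is None:
        return False
    return presented >= target


if __name__ == "__main__":
    idx = build_level_index(DISCOVERY_JSON)
    # A U2F login (level 10) may reset the password (level 1) ...
    print(may_reset({"amr": ["http://example.com/u2f"]},
                    "http://example.com/pw", idx))
    # ... but a password login may not reset U2F.
    print(may_reset({"amr": ["http://example.com/pw"]},
                    "http://example.com/u2f", idx))
```

Because the level comes from the OP's own discovery metadata rather than from a value chosen by the client, two relying parties that trust the same OP reach the same decision for the same id_token, which is the cross-domain interoperability the post is after.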

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
